Revisions
ageis revised this gist
Oct 26, 2015. 1 changed file with 6 additions and 4 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,6 @@ # Building a grsec-patched Linux kernel for Debian 8 and DigitalOcean It's possible to run a custom (instead of hypervisor-managed) kernel for use with Debian 8.x on a DigitalOcean droplet. We'll build one with grsecurity, "an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening". @@ -41,7 +41,7 @@ Start with the VPS's existing kernel configuration, and then configure stuff: cp /boot/config* .config make menuconfig Under *Security options*, enable Grsecurity (press Y), set *Configuration Method* to **Automatic**, set *Usage Type* to **Server**, set *Virtualization Type* to **Guest**, set *Virtualization Software* to **KVM** and *Required Priorities* to **Security**. Save and exit. You may want to ensure all CPU cores participate in the build by exporting this environment variable: @@ -83,7 +83,7 @@ Set some PaX flags for GRUB: paxctl -Cpm /usr/bin/grub-script-check paxctl -Cpm /usr/bin/grub-mount You may find that some stuff won't work like common interpreters for scripting languages because of memory protection. As an example, you can disable MPROTECT for Python like so: paxctl -c /usr/bin/python2.7 paxctl -m /usr/bin/python2.7 
@@ -124,4 +124,6 @@ Return to function (strcpy, PIE) : paxtest: return address contains a NU Return to function (memcpy, PIE) : Killed ``` Congratulations! You're now running [grsecurity](https://grsecurity.net/) on your Debian DigitalOcean droplet. A similar process should work on a Linode VPS with PV-GRUB enabled, you'd just have to select Xen as the virtualization type instead (unless your Linode is on their brand new, upgraded KVM infrastructure). At [Freedom of the Press Foundation](https://freedom.press), we've been working on automating this whole process with [Ansible](https://github.com/ansible/ansible). Check out our [GitHub repository](https://github.com/freedomofpress/grsec/tree/develop)! -
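Review bot: In the @@ -83,7 +83,7 @@ hunk, `paxctl -m /usr/bin/python2.7` turns MPROTECT off for every process that runs that interpreter, not only the one script that failed, and `paxctl -c` rewrites the ELF program header in place, so a later dpkg upgrade of the python2.7 package replaces the binary and silently drops the flag. The text should say both things: that this is a per-binary weakening of PaX to apply only to the interpreters that actually break, and that the flags need to be re-applied (or at least checked with `paxctl -v /usr/bin/python2.7`) after package upgrades.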
ageis revised this gist
Oct 26, 2015. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -53,7 +53,7 @@ Now you can compile the kernel. It can take a while to finish, and ideally you s In the parent directory, you'll have the package `linux-image-4.2.4-grsec_4.2.4-grsec-10.00.Custom_amd64.deb`. Copy it to the target machine and install with `dpkg -i`. Install some tools to use with [PaX](https://en.wikipedia.org/wiki/PaX) (which hardens userland binaries against common exploitation techniques based on memory corruption): apt-get install paxtest paxctl -
ageis revised this gist
Oct 26, 2015. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -4,7 +4,7 @@ It's possible to run a custom (instead of hypervisor-managed) kernel for use wit We'll build one with grsecurity, "an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening". **Note:** The stable patches for Linux 3.14.x and 3.2.x are not publicly available anymore, so we'll be applying the free 4.2.x (test) patch. The URLs and filenames in this document may become outdated, so fetch the latest from [grsecurity.net](https://grsecurity.net) and [kernel.org](https://www.kernel.org/). Install dependencies: -
ageis revised this gist
Oct 26, 2015. 1 changed file with 3 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,8 @@ # Building a grsec-patched Linux kernel for Debian 8 and DigitalOcean It's possible to run a custom (instead of hypervisor-managed) kernel for use with Debian 8.x on a DigitalOcean droplet. We'll build one with grsecurity, "an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening". **Note:** The stable patches for Linux 3.14.x and 3.2.x are not publicly available anymore, so we'll be applying the free 4.2.x (test) patch. The URLs and filenames in this document may become out of date, if that happens check [grsecurity.net](https://grsecurity.net) and [kernel.org](https://www.kernel.org/). -
ageis revised this gist
Oct 26, 2015. 1 changed file with 17 additions and 13 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,5 +1,9 @@ # Building a grsec-patched Linux kernel for Debian 8 and DigitalOcean It's possible to run a custom (instead of hypervisor-managed) kernel for use with Debian 8.x on a DigitalOcean droplet. We'll build one with [grsecurity](https://grsecurity.net/), "an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening". **Note:** The stable patches for Linux 3.14.x and 3.2.x are not publicly available anymore, so we'll be applying the free 4.2.x (test) patch. The URLs and filenames in this document may become out of date, if that happens check [grsecurity.net](https://grsecurity.net) and [kernel.org](https://www.kernel.org/). Install dependencies: apt-get install libncurses5-dev build-essential fakeroot kernel-package gcc-4.9 gcc-4.9-plugin-dev make 
@@ -14,21 +18,21 @@ Grab Spender's key and verify it: Grab the kernel source and grsecurity patch, plus signatures for each: wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.2.4.tar.xz wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.2.4.tar.sign wget https://grsecurity.net/test/grsecurity-3.1-4.2.4-201510251836.patch wget https://grsecurity.net/test/grsecurity-3.1-4.2.4-201510251836.patch.sig Verify that the signatures are good: gpg --verify grsecurity-3.1-4.2.4-201510251836.patch.sig gpg --verify linux-4.2.4.tar.sign Extract the kernel source and apply the patch: tar -xf linux-4.2.4.tar cd linux-4.2.4/ patch -p1 < ../grsecurity-3.1-4.2.4-201510251836.patch Start with the VPS's existing kernel configuration, and then configure stuff: @@ -45,7 +49,7 @@ Now you can compile the kernel. It can take a while to finish, and ideally you s fakeroot make-kpkg --initrd kernel_image In the parent directory, you'll have the package `linux-image-4.2.4-grsec_4.2.4-grsec-10.00.Custom_amd64.deb`. Copy it to the target machine and install with `dpkg -i`. Install some tools to use with PaX (which implements least privilege protections for memory pages): @@ -57,9 +61,9 @@ Grab the kernel version string used in the GRUB bootloader menu: Set the new kernel to boot by default, and reboot: sed -i "s/^GRUB_DEFAULT=.*$/GRUB_DEFAULT=\"Debian GNU\/Linux, with Linux 4.2.4-grsec\"/" /etc/default/grub update-grub grub-reboot "Advanced options for Debian GNU/Linux>Debian GNU/Linux, with Linux 4.2.4-grsec" shutdown -r now When the machine comes back after rebooting, check `uname -r` to verify that you're running grsec. -
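Review bot: In the @@ -14,21 +18,21 @@ hunk, `gpg --verify linux-4.2.4.tar.sign` cannot succeed as written: the kernel.org detached signature covers the uncompressed tarball, but the steps download `linux-4.2.4.tar.xz` and never decompress it, and the only key imported earlier in the file is Spender's, so there is no kernel.org release key in the keyring to verify against. Suggest adding `unxz linux-4.2.4.tar.xz` before the verify step (which also makes the later `tar -xf linux-4.2.4.tar` line correct) plus a step that imports the kernel.org release signing key as documented at https://www.kernel.org/signature.html, and a sentence telling the reader to compare the key reported in the "Good signature" line against the expected fingerprint rather than treating `gpg --verify` as a bare pass/fail.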
ageis revised this gist
Oct 26, 2015. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,7 +2,7 @@ Install dependencies: apt-get install libncurses5-dev build-essential fakeroot kernel-package gcc-4.9 gcc-4.9-plugin-dev make Grab Spender's key and verify it: -
ageis revised this gist
Oct 26, 2015. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,4 @@ # Building a grsec-patched Linux kernel for Debian 8 and DigitalOcean Install dependencies: -
ageis revised this gist
Oct 26, 2015. 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -41,11 +41,11 @@ You may want to ensure all CPU cores participate in the build by exporting this export CONCURRENCY_LEVEL="$(grep -c '^processor' /proc/cpuinfo)" Now you can compile the kernel. It can take a while to finish, and ideally you shouldn't be doing this as root. fakeroot make-kpkg --initrd kernel_image In the parent directory, you'll have the package `linux-image-3.14.55-grsec_3.14.55-grsec-10.00.Custom_amd64.deb`. Copy it to the target machine and install with `dpkg -i`. Install some tools to use with PaX (which implements least privilege protections for memory pages): -
ageis revised this gist
Oct 26, 2015. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -35,7 +35,7 @@ Start with the VPS's existing kernel configuration, and then configure stuff: cp /boot/config* .config make menuconfig Under *Security options*, enable Grsecurity (press Y), set *Configuration Method* to **Automatic**, set *Usage Type* to **Server**, set *Virtualization Type* to **Guest**, set *Virtualization Software* to **Xen** and *Required Priorities* to **Security**. Save and exit. You may want to ensure all CPU cores participate in the build by exporting this environment variable: -
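Review bot: In the @@ -35,7 +35,7 @@ hunk, `cp /boot/config* .config` breaks as soon as more than one kernel is installed: with several `config-*` files in /boot the glob expands to multiple sources and `cp` refuses a non-directory target, and with exactly one match it may pick the config of a kernel other than the one currently running. Suggest `cp /boot/config-$(uname -r) .config`, which starts the build from the running kernel's configuration as the sentence above it intends.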
ageis created this gist
Oct 26, 2015.
@@ -0,0 +1,121 @@ # Building a grsec-patched Linux kernel for Debian 8 and Digital Ocean Install dependencies: apt-get install libncurses5-dev build-essential fakeroot kernel-package git-core gcc-4.9 gcc-4.9-plugin-dev make Grab Spender's key and verify it: wget https://grsecurity.net/spender-gpg-key.asc gpg --import spender-gpg-key.asc gpg --keyserver pool.sks-keyservers.net --recv-key 647F28654894E3BD457199BE38DBBDC86092693E gpg --with-fingerprint spender-gpg-key.asc gpg --fingerprint 647F28654894E3BD457199BE38DBBDC86092693E Grab the kernel source and grsecurity patch, plus signatures for each: wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.55.tar.xz wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.55.tar.sign wget https://grsecurity.net/stable/grsecurity-3.1-3.14.55-201510251834.patch wget https://grsecurity.net/stable/grsecurity-3.1-3.14.55-201510251834.patch.sig Verify the signatures: gpg --verify grsecurity-3.1-3.14.55-201510251834.patch.sig gpg --verify linux-3.14.55.tar.sign Extract the kernel source and apply the patch: tar -xf linux-3.14.55.tar cd linux-3.14.55/ patch -p1 < ../grsecurity-3.1-3.14.55-201510251834.patch Start with the VPS's existing kernel configuration, and then configure stuff: cp /boot/config* .config make menuconfig Under *Security options*, enable Grsecurity (press Y), set *Configuration Method* to Automatic, set *Usage Type* to Server, set *Virtualization Type* to Guest, set *Virtualization Software* to Xen and *Required Priorities* to Security. Save and exit. You may want to ensure all CPU cores participate in the build by exporting this environment variable: export CONCURRENCY_LEVEL="$(grep -c '^processor' /proc/cpuinfo)" Now you can compile the kernel. Ideally you shouldn't be doing this as root. fakeroot make-kpkg --initrd kernel_image In the parent directory, you now have the package `linux-image-3.14.55-grsec_3.14.55-grsec-10.00.Custom_amd64.deb`. 
Copy it to the target machine and install with `dpkg -i`. Install some tools to use with PaX (which implements least privilege protections for memory pages): apt-get install paxtest paxctl Grab the kernel version string used in the GRUB bootloader menu: grep menuentry /boot/grub/grub.cfg | cut -d "'" -f2 | grep "grsec$" Set the new kernel to boot by default, and reboot: sed -i "s/^GRUB_DEFAULT=.*$/GRUB_DEFAULT=\"Debian GNU\/Linux, with Linux 3.14.55-grsec\"/" /etc/default/grub update-grub grub-reboot "Advanced options for Debian GNU/Linux>Debian GNU/Linux, with Linux 3.14.55-grsec" shutdown -r now When the machine comes back after rebooting, check `uname -r` to verify that you're running grsec. Set these sysctl variables (use `sysctl -p` to activate after editing `/etc/sysctl.conf`): kernel.grsecurity.rwxmap_logging = 0 kernel.grsecurity.grsec_lock = 1 Set some PaX flags for GRUB: paxctl -Cpm /usr/sbin/grub-probe paxctl -Cpm /usr/sbin/grub-mkdevicemap paxctl -Cpm /usr/sbin/grub-install paxctl -Cpm /usr/bin/grub-script-check paxctl -Cpm /usr/bin/grub-mount You may find that some stuff won't work because of memory protection. As an example, you can disable MPROTECT for Python like so: paxctl -c /usr/bin/python2.7 paxctl -m /usr/bin/python2.7 Run `paxtest blackhat` and check the output. 
If PaX is working, you should see something like this: ``` Executable anonymous mapping : Killed Executable bss : Killed Executable data : Killed Executable heap : Killed Executable stack : Killed Executable shared library bss : Killed Executable shared library data : Killed Executable anonymous mapping (mprotect) : Killed Executable bss (mprotect) : Killed Executable data (mprotect) : Killed Executable heap (mprotect) : Killed Executable stack (mprotect) : Killed Executable shared library bss (mprotect) : Killed Executable shared library data (mprotect): Killed Writable text segments : Killed Anonymous mapping randomisation test : 33 bits (guessed) Heap randomisation test (ET_EXEC) : 23 bits (guessed) Heap randomisation test (PIE) : 40 bits (guessed) Main executable randomisation (ET_EXEC) : 33 bits (guessed) Main executable randomisation (PIE) : 33 bits (guessed) Shared library randomisation test : 33 bits (guessed) Stack randomisation test (SEGMEXEC) : 40 bits (guessed) Stack randomisation test (PAGEEXEC) : 40 bits (guessed) Arg/env randomisation test (SEGMEXEC) : 44 bits (guessed) Arg/env randomisation test (PAGEEXEC) : 44 bits (guessed) Randomization under memory exhaustion @~0: 33 bits (guessed) Randomization under memory exhaustion @0 : 33 bits (guessed) Return to function (strcpy) : paxtest: return address contains a NULL byte. Return to function (memcpy) : Killed Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte. Return to function (memcpy, PIE) : Killed ``` Congratulations! You're now running [grsecurity](https://grsecurity.net/) on your Debian DigitalOcean droplet. At [Freedom of the Press Foundation](https://freedom.press), we've been working on automating this whole process with [Ansible](https://github.com/ansible/ansible). Check out our [GitHub repository](https://github.com/freedomofpress/grsec/tree/develop)!
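Review bot: In the sysctl step of this hunk, `kernel.grsecurity.grsec_lock = 1` makes every `kernel.grsecurity.*` sysctl read-only until the next reboot, and `sysctl -p` applies `/etc/sysctl.conf` top to bottom, so the lock line must be the last grsecurity setting in the file; anything placed after it (including `rwxmap_logging`) is rejected. The text should say the lock is irreversible without a reboot and should explain why `rwxmap_logging = 0` is chosen, since that turns off the log of RWX mapping attempts, a detection signal many admins would rather keep. Separately, the `sed` line sets `GRUB_DEFAULT` to the bare title `Debian GNU/Linux, with Linux 3.14.55-grsec`, while the `grub-reboot` line two lines below addresses the same entry through its submenu as `Advanced options for Debian GNU/Linux>Debian GNU/Linux, with Linux 3.14.55-grsec`; GRUB needs the `submenu>entry` form for entries nested under Advanced options, so the two should use the same path.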